Facebook and Private Communications: A Matter of Incompatibility

When Mark Zuckerberg announced at the beginning of the month that Facebook will shift its focus to privacy-focused communications, the announcement was rightly met with skepticism. Facebook’s business model, after all, is built around targeting advertisements to users based on their information. Compound this with the various privacy scandals that have plagued Facebook in the last few years—from Cambridge Analytica misusing up to 50 million users’ data to massive data breaches—and the company’s decision to shift its focus to privacy seems positively disingenuous. Just last week, the news broke that a bug in Facebook’s password management system caused hundreds of millions of user passwords to be stored as plaintext—that is to say, not encrypted—in an internal platform, putting them at risk. Given its history, Facebook is hardly a company that you would want to trust with your most private communications, which brings me to my main point: It would seem to me that Facebook, as a social network, is inherently at odds with secure, private communications. Here’s why:

There’s No Such Thing as a Free Lunch

Facebook, as a social network, is free – well, technically. When the scandal around Cambridge Analytica first broke, Vaporstream CEO Galina Datskovsky pointed out that when it comes to social networks like Facebook there’s no such thing as a free lunch. In other words, when you use a free service like a social media app, the service provider needs to find a way to monetize their user base. For Facebook, that has been through advertising and monetization of personal data. With Zuckerberg’s announcement that Facebook plans to shift its focus to private communications, many are asking how Facebook is going to monetize this shift. Facebook makes money off of people’s data—and now they’re suggesting they want to store less of it—so what does that mean for Facebook as a business? Zuckerberg has been vague about what Facebook’s new business model is going to look like. This leaves me and many others wondering….

In the past we’ve written about the difference between privacy and security. Privacy is not only about end-to-end encryption, which protects messages from being intercepted while they’re in transit—it’s also about content control, which protects the message once it’s on the recipient’s device from being leaked via screenshot, for example. As part of Facebook’s announcement, Zuckerberg announce his intention to unify Instagram, WhatsApp, and Facebook Messenger so that messages can travel across the platforms. However, only WhatsApp has end-to-end encryption enabled by default. If Facebook wants to unify its chat services, it is also going to need to make sure users understand how to recognize and control end-to-end encryption if they’re chatting across apps.

From what we’ve witnessed it also appears that Zuckerberg seems to think that end-to-end encryption is the end-all be-all for privacy. In August of 2016, when WhatsApp announced they’d be sharing limited amounts of data with Facebook, Facebook assured the public that end-to-end encryption meant that neither Facebook—nor anyone other than the senders or recipients could read the messages. In a congressional hearing last year, Zuckerberg again assured politicians that Facebook could in no way access Whatsapp messages because they were encrypted. Yet, we’ve seen in the recent news leaks of Whatsapp messages with serious consequences. End-to-end encryption protects messages in-transit but doesn’t necessarily protect them once they’ve been received or if they’ve been backed up. In its messaging, Facebook hasn’t addressed this, just like many messaging apps have failed to do.

There are Contexts for Private Communications and Social Media isn’t One of Them

At Vaporstream, we are a huge proponent of private and secure communications, but we also recognize there are contexts where private communications platforms do not always make the most sense. People use social media to share information with many people—from thoughts on current events to announcing life events. In its current avatar, Facebook has already grappled with spread of misinformation and online harassment. As with any technology tool, private communications can be abused and the same people who spread misinformation and harass online may have an opportunity to practice the same behavior through private communications with impunity. Private communications platforms are critical for sensitive conversations like financial concerns, business transactions, and discussions about healthcare—but they don’t necessarily make sense in the context of social media. Facebook has a responsibility to deal with spread of misinformation and online harassment; shifting their focus to private communications may further complicate those issues for them.

We have yet to see what will happen with Facebook’s new announcement—Facebook has in the past announced upcoming privacy-forward features and not delivered. Facebook’s shaky history with privacy and this new announcement raises interesting questions about when it makes sense to use private communications and how to decide whether a private communications platform is truly private. At Vaporstream, we work to provide enterprises with a secure and private communications platform that protects messages both in-transit and on the device. To learn more about what makes us secure, download our NowSecure case study on security and compliance assurance.